Audit of NARA’s Data Backup Operations

OIG Audit Report No. 13-09

July 9, 2013

Table of Contents

Executive Summary
Background
Objectives, Scope, Methodology
Audit Results
Appendix A – Acronyms and Abbreviations
Appendix B – Management’s Response to the Report
Appendix C – Report Distribution List

Executive Summary

Organizations should routinely duplicate or back up data files, computer programs, and critical documents. This assists in the organization’s ability to ensure uninterrupted operations by providing reasonable and timely data recovery capabilities. Our objective was to determine whether NARA had a systematic, accountable, and documented process for restoring original data after a data loss event. Specifically, our review focused on whether NARA had documented plans and procedures for backing up data, whether backups were occurring on a regular basis, whether backups were tested to verify media reliability and information integrity, and whether the backup copies of the operating system and other critical information system software were stored in a separate facility from the operational software.

Overall, with the exception of the ERA, successful backups were accomplished on a regular basis for the systems reviewed.
A full backup for one instance of the ERA system has not been accomplished since May 2011. In addition, security control weaknesses existed within NARA’s data backup operations which jeopardize NARA’s ability to sufficiently protect the confidentiality, integrity, and availability of data backups. For example, backup tapes containing Personally Identifiable Information (PII) were not encrypted to protect the information while stored offsite; backups were not regularly tested to ensure data could be restored in usable form; and backup media was not rotated offsite each week as prescribed. Without information system backup controls to protect data backups, there is an increased risk recovery operations could be delayed or information could be lost.

The audit also identified an opportunity for cost savings related to excess Iron Mountain storage containers in NARA’s possession. Over the last seven years, NARA has spent about $31,900 that could have been put to better use. NARA decreased the number of tapes and other storage media stored offsite but did not return the excess containers to Iron Mountain. By reviewing and reducing the number of containers kept in the rotation for offsite storage, NARA could significantly reduce the cost of this service.

Payments made for offsite storage of backup tapes need further review to determine whether NARA’s procurement process as well as Federal laws and regulations were violated.
In addition, the payment for offsite storage costs may have been improper, and if so, NARA has paid approximately $48,712 over the last four years that could have been put to better use.

This report makes 11 recommendations to strengthen the management, accountability, and oversight of the data backup and recovery processes at NARA.

National Archives and Records Administration

Background

Information systems are vital elements in most mission/business processes. Because information system resources are so essential to an organization’s success, it is critical that identified services provided by these systems are able to operate effectively without excessive interruption. Contingency planning supports this requirement by establishing thorough plans, procedures, and technical measures enabling a system to be recovered as quickly and effectively as possible following a service disruption. Contingency planning is unique to each system, providing preventive measures, recovery strategies, and technical considerations appropriate to the system’s information confidentiality, integrity, and availability requirements and the system impact level.

Organizations are required to adequately mitigate the risk arising from the use of information and information systems in the execution of mission and business processes. Contingency strategies are created to mitigate the risks for the contingency planning family of controls and cover the full range of backup, recovery, contingency planning, testing, and ongoing maintenance.
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” April 2013, contains the baseline set of controls that protect the confidentiality, integrity, and availability of a system and its information. Within SP 800-53, Contingency Planning Control 9 (CP-9) requires organizations to conduct backups of user-level and system-level data and to protect the confidentiality, integrity, and availability of backup information at the storage location.

Information system backups at NARA are managed by contractors. The NARA IT and Telecommunications Support Services (NITTSS) contractor is responsible for multiple systems running Novell SUSE Linux Enterprise Server (SLES), Microsoft Windows, UNIX, and Novell Netware. NARA Network (NARANet) systems data are backed up on a varied rotation of full and incremental backups which is not identical for all systems. The backup method, retention and destination of data backups are also different for each system. For example, Novell file and print servers are backed up at NARA’s College Park, MD facility (AII) and replicated to NARA’s facility at the Allegany Ballistics Laboratory (ABL), then transferred to tape. Novell Groupwise backups are replicated to ABL then to tape. Windows and UNIX servers are backed up using an Enterprise backup system at AII or locally attached media drives.

This audit also included a review of two systems, the Electronic Records Archives (ERA) and the Case Management and Reporting System (CMRS). The purpose of ERA is to preserve and manage NARA’s electronic records and manage the lifecycle of paper records and other holdings, including supporting records retention schedules and the accessioning process for all Federal records. In September 2011, NARA awarded an Operations and Maintenance contract for continued support of ERA. According to the contract Performance Work Statement (PWS), the contractor is required to perform backup of ERA systems and devices with the intent of having recoverable systems, data and services. Server backups were to include daily server file system backups, and the contractor is required to verify successful completion of all backups.

CMRS automates the end-to-end case processing for military records. CMRS assists in locating the record, assigning requests to staff, preparing the response to the customers, electronically referring requests to other offices, and advising the customer of the status of their request. The users of CMRS are entirely dependent upon the system to do their work. In September 2012, NARA issued a one-year contract for the operations and maintenance of the NARA Integrated Siebel Platform (NISP) which covers several NARA systems, including CMRS. According to the contract, the contractor was to perform daily incremental backups and weekly full backups of the NISP database and system servers.

NITTSS, ERA, and CMRS contractors used NetBackup software to manage the system backups. NetBackup allows periodic or calendar-based schedules to perform automatic, unattended backups for clients across a network. The backups can be full or incremental. Full backups back up all client files. Incremental backups back up only the files that have changed since the last backup.

Objectives, Scope, Methodology

The purpose of this audit was to determine whether NARA had a systematic, accountable, and documented process for restoring original data after a data loss event. Specifically, we reviewed whether NARA had documented plans and procedures for backing up data; whether successful backups were accomplished on a regular basis; whether backups were tested to verify media reliability and information integrity; and whether backup copies of the operating system and other critical information system software were stored in a separate facility or in a fire-rated container which was not collocated with the operational software.

To accomplish our objective, we reviewed NARA’s IT Security Policies and IT Security Requirements as well as National Institute of Standards and Technology (NIST) Special Publications (SP) 800-53, Revision 3 “Recommended Security Controls for Federal Information Systems and Organizations,” May 2010, 800-53, Revision 4 “Security and Privacy Controls for Federal Information Systems and Organizations,” April 2013, and 800-34, Revision 1, “Contingency Planning Guide for Federal Information Systems,” May 2010. We obtained and reviewed backup and recovery procedures from NITTSS and the ERA contractors. We were unable to review any backup procedures for CMRS because at the time of our audit, procedures did not exist.

We interviewed NARA IT Operations personnel as well as the contractors responsible for conducting data backups for selected NARA systems, including NARA’s NITTSS contractor which included backups of email servers, Novell file servers, and other application and support servers residing on NARANet.
We also reviewed backups for two systems: the Electronic Records Archives (ERA) and the Case Management and Reporting System (CMRS).

We reviewed backup schedules for selected servers and compared the schedule with the backup system job history log files for incremental and full backups. For backup media stored offsite, we reviewed whether backup files were created and rotated offsite as prescribed. We reviewed the security controls in place to protect backups at the storage locations. For backups stored on tapes, we reviewed the inventory and tape log information at the storage locations and reviewed the process to destroy backup tapes when no longer needed. We conducted a site visit at the Iron Mountain offsite storage location for backup tapes and compared the contents of each NARA container stored in the vault to NARA’s records.

Our audit work was performed at Archives II in College Park, Maryland, Allegany Ballistics Laboratory in Rocket Center, West Virginia, and the Iron Mountain storage facility in Columbia, Maryland between October 2012 [1] and May 2013. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

[1] This audit was originally announced in May 2011 but was put on hold due to staffing constraints and competing priorities.
In October 2012, the audit was re-announced with the same audit objective.

Audit Results

1. Controls Over Data Backups.

Overall, with the exception of the ERA, successful backups were accomplished on a regular basis for the systems reviewed. A full backup for one instance of the ERA system has not been accomplished since May 2011. In addition, security control weaknesses existed within NARA’s data backup operations which jeopardize NARA’s ability to sufficiently protect the confidentiality, integrity, and availability of data backups. For example:
   • backup tapes containing sensitive PII were not encrypted to protect the confidentiality of the information while stored offsite;
   • a method or process to verify the integrity of the backups was not in place;
   • backups were not regularly tested to ensure data could be recovered in usable form;
   • backup media was not rotated offsite as prescribed; and
   • one offsite storage location for backup tapes was not geographically removed from the primary site which may create accessibility problems in the event of an area-wide disaster.
This occurred because NARA did not fully implement the contingency planning control related to information system backup, which is designed to provide a means to recover data needed to restore system operations quickly and effectively following a service disruption. In addition, plans and procedures for data backup and recovery operations did not exist for one system we reviewed.
Without information system backup controls to protect data backups, there is an increased risk recovery operations could be delayed or information could be lost.

According to NIST SP 800-34, data backups are done primarily for recovery purposes, and should be conducted on all systems on a regular basis. At NARA, support contractors manage system backups. We reviewed the backup operations performed by NARA’s Operations Support contractor, NITTSS, which includes NARANet Novell, Windows, and UNIX servers. In addition, we reviewed backup operations performed for ERA and CMRS, which are maintained by different support contractors.

We reviewed a sample of backups conducted by the three different support contractors and found that overall, system backups were accomplished on a regular basis. Two exceptions occurred for backups of ERA. Backups for the Executive Office of the President (EOP) instance [2] of ERA are scheduled to be run once every eight weeks. However, the last successful backup for the EOP ERA instance occurred in May 2011. [3] Although data is static within the system, there have been several data spillage [4] incidents since the last backup was run which would delay restoration efforts. In addition, the EOP operating system has been upgraded twice since the last set of backups which would further delay restoration efforts. Although an exact amount of time is not known, one official estimated it could take six months to restore the EOP system from the May 2011 set of backup tapes.
This amount of time to restore a backup may not be acceptable to respond to all special access requests, subpoenas made pursuant to the Presidential Records Act by investigative bodies or other requesting parties for documents or information.

According to one ERA official, the decision was made not to create a backup of the system until equipment upgrades and data migration were completed. Specifically, new equipment was installed and data in the current EOP instance will be migrated to the new equipment. Transfer of the data will most likely take several months. Once the transfer is complete, the old equipment will be decommissioned. The ERA official stated a backup was not made before starting the transfer because backup tapes made with the current system would not be readable on the new equipment.

We identified another exception for backups of the ERA Base instance, which contains permanent electronic Federal records. ERA backups take point-in-time images (snapshots) of the data being backed up at scheduled intervals throughout the day. The snapshot image of the data at midnight is written to tape and transferred offsite the next day. However, for approximately two weeks, the ERA Base instance did not have a successful backup. System administrators were alerted to problems with backups of the ERA Base system in November 2012 and a workaround was used to continue to generate offsite tapes. In January 2013, the tape library was upgraded and backups would not run properly. After two weeks of troubleshooting different hardware and backup software configurations, backups resumed but ERA officials are continuing to experience problems related to the encryption of the backups. As of May 2013, ERA officials have not been able to encrypt backups and therefore, backup tapes are not being rotated offsite each day. Instead, according to an ERA official, ERA backups are sent by secure courier about once a month.
Until sent offsite, the backup tapes are stored in the data center and although there are fire-rated containers onsite, the containers are not large enough to hold the backup tapes for the Base instance.

[2] ERA is composed of several “instances” which each focus on a set of records or ERA function. The EOP instance contains the electronic records from the George W. Bush Administration.

[3] According to the ERA Operations manager, EOP backups were not completed because the system was in the process of being upgraded.

[4] A data spill is a security incident that results in the transfer of classified or sensitive information to unaccredited and unauthorized information systems, applications or media. In order to restore the entire EOP instance from backup, each of the files containing classified information would have to be identified, and deleted, from the May 2011 set of backup tapes.

Confidentiality of Backup Data

Data confidentiality involves protecting data both onsite and offsite from unauthorized access or use. Maintaining the security of system data and software is a key component in contingency planning. Encryption is a common method for securing stored system data. Encryption is most effective when applied to both the primary data storage device and on backup media going to an offsite location.

CMRS is a web-based application which enables the request and fulfillment of military service information, such as personnel records and medical case files pertaining to 20th-century military veterans.
Information stored within CMRS includes the veteran’s name, social security number, and date of birth; therefore it is identified as having a high confidentiality level. Unencrypted backup tapes containing this sensitive information were routinely sent to NARA’s offsite storage vendor, Iron Mountain. The tapes were stored in locked containers and the offsite facility had physical security controls in place to restrict access to the vault where the tapes are stored. However, during the site visit to Iron Mountain, it was discovered Iron Mountain personnel had copies of the keys to unlock NARA’s containers.

Office of Management and Budget Memorandum 06-16, “Protection of Sensitive Agency Information,” June 23, 2006, included specific actions agencies were to take to properly safeguard PII when physically transported outside the agency’s secured, physical perimeter. For example, in those instances where PII is transported to a remote site or stored at a remote site, agencies were to implement NIST SP 800-53 security controls ensuring information is transported or stored only in encrypted form. NARA 1608, “Protection of Personally Identifiable Information,” August 6, 2009, also requires PII data transported on removable media to be encrypted unless encryption will impact the integrity of the data. In those instances, appropriate access controls, strong authentication procedures, or other security controls commensurate with the sensitivity of the PII data must be used.

In February 2013, NARA officials responded to a potential PII concern regarding backup media at one of NARA’s St. Louis facilities. Three boxes of backup tapes, CDs, floppy discs, a Compact Flash card, and related material were abandoned for about a month on the loading dock at the St. Louis facility. [5]
The backup media included CMRS backups which contain sensitive PII about veterans. Even though data stored on the backup media is not manually readable, compatible tape backup hardware and software are still generally available and could be attached to a server or workstation if an individual was intent on reading the tape cartridges. NARA officials determined information was not compromised in this instance since the loading dock is a secure area. However, if NARA encrypted the backup tapes, the probability of unauthorized disclosure of PII would be reduced in the event tapes were lost or stolen.

[5] According to NARA officials, the date of this incident closely corresponds to the period during which St. Louis NITTSS staff were completing their final pack up of IT and communication hardware at the old Page Ave facility.

The Terms and Conditions listed in the Performance Work Statement for the CMRS support contract state removable media, such as hard drives, flash drives, devices with flash memory, CDs and floppy disks containing sensitive PII shall not be removed from a Government facility unless they are encrypted using a NIST FIPS 140-2 or successor approved product. According to the CMRS contractor responsible for backups, it would not be possible to encrypt the backups because encryption would significantly increase the processing times needed to run backups.
The CIO should determine whether hardware or software encryption can be used to protect CMRS backup tapes that are currently transported and stored offsite or devise another method of protecting the data that provides a similar level of security.

Integrity of Backup Data

It is important to ensure the data backup copies have the same content as the original data file. One way to check the integrity of the backup data is to calculate a checksum [6] for both the original and the backup copy and then compare. Another way to check the integrity of the backup file is to periodically retrieve the backup file, open it on a separate system, and compare the backup copy to the original file.

[6] A checksum is a small-size datum computed from an arbitrary block of digital data for the purpose of detecting errors that may have been introduced during its transmission or storage. The integrity of the data can be checked at any later time by recomputing the checksum and comparing it with the stored one. If the checksums match, the data was likely not accidentally altered.

According to NIST SP 800-34, backup tapes should be tested regularly to ensure data is being stored correctly and files may be retrieved without errors or lost data. Also, backup tapes should be tested at the alternate site, if applicable, to ensure the site supports the same backup configuration the organization has implemented. NARA does not regularly perform tests to restore files stored on backup tapes. None of the three contractors supporting NARA systems regularly tested backup tapes by trying to restore data. Two contractors provided examples of file restores they had performed; however, it was not done on a regular basis and did not involve restoring data from backup tapes.

The NITTSS contract requires the contractor ensure, and demonstrate at NARA’s request, that NARA IT systems are recoverable from backup tapes. NITTSS periodically performed file restores based on user requests. However, NARA cannot rely on this process to ensure all systems are recoverable from backup tapes since there is no guarantee all systems would be tested. According to the IT Operations manager, she is confident with the backup operations for Novell Groupwise because of all the restores they have performed at users’ requests. However, for minor application systems she did not have the same confidence level since those system backups may not be tested or validated to ensure the backup was successful.

The ERA contract requires the contractor, on a scheduled basis, to have tested processes and procedures for the recovery and reconstitution of ERA systems and services to the state prior to the disruption or failure. According to an ERA System Administrator, he was able to restore files using the Backup, Archives, and Restore functionality within the backup software. The System Administrator stated there was not a process in place to periodically test backups on a regular basis. He estimated the last data restore he performed was for an audit last year.

The CMRS contract does not include a requirement for periodic testing of backup data. According to the contractor, he performed file restores for two other systems he maintains at NARA but has not had to perform any real-time data restores for CMRS. According to the CMRS contractor, he tested the recovery of files every three months. Documentation from the last restore in December 2012 consisted of an email from the backup software stating the restore of a file onto a client directory had succeeded.
The contractor noted this testing was not required, but he would perform the tests to ensure the backups were able to be restored.

For high impact systems [7] such as CMRS [8] and ERA, the annual contingency plan test should include the use of a sample of backup information in the restoration of selected information systems. Annual contingency plan testing at NARA did not include a test to restore files from backups. A test of the contingency plan was not conducted for CMRS during FY 2012 and the ERA contingency plan test involved only tabletop exercises.

[7] FIPS Publication 199 defines three levels of potential impact (low, medium, and high) on organizations or individuals should there be a loss of confidentiality, integrity, or availability. The potential impact is considered High if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

[8] The CMRS Contingency Plan dated December 27, 2012 categorizes the system as a High impact for confidentiality, integrity, and availability but the CMRS System Security Plan, dated July 23, 2012, categorizes the system as Moderate impact.

The results of the ERA contingency plan test identified areas for improvement in ERA’s ability to respond to an incident. For example, the summary of the test results identified the lack of formalized Backup and Recovery testing and that currently there is no process or method to verify NetApp snapshot backups are working. One recommendation made in the test results was for subsequent exercises to focus on the restoration of systems. NARA should regularly test data backups to ensure the information being backed up is stored correctly and can be retrieved if needed.

Availability of Backup Data

Maintaining the availability of backup data is important to ensure access to the backup information if needed. One way to protect the availability of backup data is to store the backup copy offsite to prevent a disaster from destroying the original file and the backup file. As shown in Table 1 below, NARA maintains three offsite storage locations.

Table 1. Offsite Storage Locations for Data Backups

Offsite Storage Locations                           Backup Media                                     Systems/Servers
Iron Mountain, Columbia, MD                         LTO Tapes, DLT Tapes, Compact Flash Cards        NITTSS Enterprise backups, CMRS backups, and other systems with locally attached tape drives
Allegany Ballistics Laboratory, Rocket Center, WV   Mirrored/Replicated to NetApp and then to tape   Novell file and print, Novell Groupwise
Archives II, College Park, MD                       LTO Tapes                                        ERA

The NITTSS Tape Administrator was responsible for rotating backup media offsite to Iron Mountain each week. The schedule with Iron Mountain was for pickup and delivery of tapes to occur on Wednesdays. The NITTSS procedure specifies full backups are stored onsite for one week and then sent offsite for eight weeks. The Tape Administrator maintained a tape log documenting the backup tapes sent offsite, the date they were sent offsite, and their return date.
However, when we compared the NITTSS tape logs to the\nIron Mountain records; we found that while media was consistently returned by Iron\nMountain each Wednesday, media was not actually being sent to Iron Mountain each\nweek. Instead, during calendar year 2012, media was rotated offsite about once a month.\nTherefore, NARA systems were at risk of losing up to four weeks of data if a disaster had\nimpacted the AII datacenter destroying the original system data and the backup tapes.\nFor some systems, such as CMRS, losing four weeks of data would be extremely\ndisruptive to the operations at the National Personnel Records Center and to military\nveterans who had submitted record requests during that time. Table 2. shows the dates\nbackups were transferred to Iron Mountain during 2012.\n\n\n\n                                         Page 13\n                      National Archives and Records Administration\n\x0c                                                             OIG Audit Report No. 13-09\n\n\n\n               Table 2. 
Number of Containers Sent to Iron Mountain Each Week in 2012

Date      Number of Containers    Date      Number of Containers
1/4/12    None                    7/4/12    None
1/11/12   None                    7/11/12   None
1/18/12   5                       7/18/12   None
1/25/12   None                    7/25/12   None
2/1/12    None                    8/1/12    5
2/8/12    None                    8/8/12    None
2/15/12   4                       8/15/12   None
2/22/12   None                    8/22/12   None
2/29/12   None                    8/29/12   2
3/7/12    None                    9/5/12    2
3/14/12   5                       9/12/12   None
3/21/12   None                    9/19/12   None
3/28/12   None                    9/26/12   None
4/4/12    None                    10/3/12   4
4/11/12   4                       10/10/12  None
4/18/12   None                    10/17/12  5
4/25/12   None                    10/24/12  None
5/2/12    None                    10/31/12  None
5/9/12    4                       11/7/12   None
5/16/12   None                    11/14/12  None
5/23/12   None                    11/21/12  4
5/30/12   None                    11/28/12  None
6/6/12    4                       12/5/12   None
6/13/12   None                    12/12/12  4
6/20/12   None                    12/19/12  None
6/27/12   4                       12/26/12  None

According to the Tape Administrator, tapes did not always get to him in time to be
included in the weekly shipment, so he would delay sending that week’s container offsite
until he received the backup tapes scheduled to be in the shipment. However, we noted
that even when containers were not sent offsite for several weeks, those containers did
not include backup tapes for every system. The NARA Technical Monitor responsible
for overseeing this area of the NITTSS contract was not aware backup tapes were not
being sent offsite each week. Additional oversight processes should be implemented to
ensure backups are sent offsite each week as scheduled.

The OIG and the NITTSS Technical Monitor visited the Iron Mountain offsite storage
location in January 2013 to review the contents of each container currently stored there
and compare the contents of the containers with the Tape Administrator’s tape log. Of
the seven containers [9] we reviewed, four of the containers matched the Tape
Administrator’s log. The remaining three containers either had tapes included in the
container not recorded on the log or the container did not include all the tapes shown on
the log. As shown in Table 3 below, none of the seven containers included a complete
set of backup tapes.

Table 3.
Inventory of Offsite Storage Containers at Iron Mountain

System:               28-Nov  5-Dec  12-Dec  19-Dec  26-Dec  2-Jan  9-Jan
OFAS                    2       2      2       -       -       -      -
CMTS                    -       -      -       -       1       -      -
VISTA                   -       -      -       -       1       -      -
RCPBS                   2       4      -       -       -       2      2
APS                     1       1      1       -       1       -      -
AERIC                   1       -      -       -       1       -      1
A1-PBX                  1       1      1       1       -       1      1
A2-PBX                  1       1      1       1       -       -      1
VAULT                   -       5      4       6       4       -      -
NISP                    6       7      6       8       6       3      5
Total Sent Offsite:    14      21     15      16      14       6     10

We contacted the Order Fulfillment and Accounting System (OFAS) Project Manager to
ask why backup tapes were not included in the offsite containers between December 19,
2012 and January 9, 2013. According to the Project Manager, the system is managed by
their own contractor who backs up the tapes locally. The Project Manager stated backup
tapes were not sent offsite during that time period because the system had exceeded the
storage limit for the backup tapes and more backup tapes had to be ordered. The system
was being backed up onto two backup tapes. However, the system exceeded the storage
limit on those two tapes and a third tape was needed for each backup. Additional tapes
were ordered but backups could not resume until those tapes were received and placed
into the rotation.

The process of providing tapes to the Tape Administrator should be improved to prevent
lost or misplaced tapes.
We found inconsistencies between the CMRS contractor’s tape
log used to record backup tapes given to the Tape Administrator each week for offsite
storage and the Tape Administrator’s log. According to the CMRS contractor, the
process for transferring tapes offsite was to place the backup tapes on the Tape
Administrator’s desk. During this process, the contractor stated that many times when
dropping off the weekly tapes, the tapes from the previous week’s backup were still on
the Tape Administrator’s desk. Because the containers were not rotated offsite each
week, tapes may have been mixed up or placed into the wrong containers. The NITTSS
Technical Monitor agreed additional oversight was needed over the process of sending
tapes offsite. NARA should ensure an accurate log or record of tapes going offsite is
maintained so the correct container can be recalled if needed.

[9] There were only seven containers at Iron Mountain the date of the site visit because our
visit occurred on a Wednesday; therefore, one of NARA’s containers was already out for
delivery back to NARA.

Offsite Storage Location

According to NIST SP 800-34, it is good business practice to store backup data offsite.
Commercial data storage facilities are specially designed to archive media and protect
data from threatening elements. When selecting an offsite storage facility and vendor,
one of the criteria to be considered is the distance from the organization and the
probability of the storage site being affected by the same disaster as the organization’s
primary site.

One of NARA’s offsite locations for backup tapes is in Columbia, Maryland.
This is the
offsite storage location for systems and servers located in the Archives II datacenter,
which is approximately 15 miles from Columbia. Due to its close proximity, the offsite
facility could be affected by the same area-wide disasters such as hurricane, tornado, or
other severe weather. Although the offsite facility has environmental controls in place to
protect the backup tapes, access to the facility may not be possible to retrieve the backup
tapes. We attempted to find out why the Columbia facility was chosen as the location for
offsite backup tapes, but the decision appears to have been made over 10 years ago and
several individuals we asked did not know the rationale behind the decision. NARA
should evaluate the risks involved with storing backup tapes in the same geographic area
as NARA’s main data center. One option for NARA to consider is whether backup tapes
could be stored at ABL, which is the NARA Continuity of Operations (COOP) site, or at
a storage facility closer to the COOP site.

Information System Backup Control

NARA did not fully implement the NIST SP 800-53 control for information system
backups. Specifically, NARA did not have controls in place to protect the
confidentiality, integrity, and availability of backup information and did not regularly test
backup information to verify media reliability and information integrity. Although
NARA’s IT Security Requirements include this control, it was not being enforced.
In
addition, NARA did not have mechanisms in place to ensure this control was working.

Organizations are required to adequately mitigate the risk arising from the use of
information and information systems in the execution of mission and business processes.
Contingency strategies are created to mitigate the risks for the contingency planning
family of controls and cover the full range of backup, recovery, contingency planning,
testing, and ongoing maintenance. NIST SP 800-53 Contingency Planning Control CP-9
Information System Backup requires organizations to conduct backups of user-level and
system-level data and to protect the confidentiality, integrity, and availability [10] of backup
information at the storage location.

The supplemental guidance for control CP-9 clarifies system-level information includes,
for example, system-state information, operating system and application software, and
licenses. Digital signatures [11] and cryptographic hashes [12] are examples of mechanisms
that can be employed by organizations to protect the integrity of information system
backups. An organization assessment of risk guides the use of encryption for protecting
backup information.

NIST SP 800-53 also includes control enhancements for moderate and high baseline
systems. For example, those systems categorized as moderate and high-impact level are
required to test backup information at an organization-defined frequency to verify media
reliability and information integrity.
Systems categorized as high-impact level also must:
     • use a sample of backup information in the restoration of selected information
       system functions as part of contingency plan testing;
     • store backup copies of the operating system and other critical information system
       software in a separate facility or in a fire-rated container that is not collocated
       with the operational system; and
     • transfer information system backup information to the alternate storage site at
       organization-defined time period and transfer rate. [13]
Additional controls that can be implemented, but are not required, include: the
organization accomplishes information system backup by maintaining a redundant
secondary system, not collocated, that can be activated without loss of information or
disruption to the operation; and the organization enforces dual authorization for the
deletion or destruction of organization-defined backup information.

[10] NIST SP 800-53, Revision 4, issued April 2013, included a change to the CP-9.d control.
Specifically, CP-9.d was revised to require that organizations protect the availability of
backup information at storage locations in addition to the confidentiality and integrity.

[11] A digital signature is a mathematical scheme for demonstrating the authenticity of a
digital message or document.
A valid digital signature gives a recipient reason to believe the message was not altered in
transit.

[12] A cryptographic hash function is an algorithm that takes an arbitrary block of data and
returns a fixed-size bit string, the cryptographic hash value, such that any accidental or
intentional change to the data will (with very high probability) change the hash value.

[13] This is a new requirement for high-impact systems based on NIST SP 800-53, Revision 4.

Data Backup and Recovery Procedures

According to GAO, there are a number of steps an entity should take to prevent or
minimize the damage to automated operations occurring from unexpected events.
Implementing thorough backup procedures is generally an inexpensive way to prevent
relatively minor problems from becoming costly disasters. We reviewed the data backup
and recovery procedures provided by NITTSS for the systems they manage, and by the
ERA support contractor. These procedures included roles and responsibilities, the
frequency and scope of the backups and where the backups will be stored.

We were unable to review backup and recovery procedures for CMRS because the
contractor was in the process of drafting the data backup procedures based on the
redesign of the system. The CMRS Technical Monitor provided a copy of the CMRS
Contingency Plan which she believed gave an overview of the CMRS backup function.
Although the Contingency Plan did have an overview, it did not specify responsibility for
the backups or the minimum frequency and scope of the backups.
Without thorough
backup and recovery procedures, NARA does not have a documented process for
restoring CMRS data after a data loss event.

Conclusion

Information systems are vital elements in most mission/business processes. Because
information system resources are so essential to an organization’s success, it is critical
that identified services provided by these systems are able to operate effectively without
excessive interruption. Contingency Planning supports this requirement by establishing
thorough plans, procedures, and technical measures that can enable a system to be
recovered as quickly and effectively as possible following a service disruption. The
adequate protection of the confidentiality, integrity, and availability of the backups is
important to ensure NARA information is not at risk of unauthorized disclosure and data
is able to be recovered in usable form if needed.

Recommendations

1. The CIO should create a full backup of the EOP instance of ERA as soon as the
upgrade and data migration is complete.

2. The CIO should encrypt backup tapes containing sensitive PII or devise another
method of protecting the data that provides a similar level of security.

3. The CIO should include the restoration of files from backups as part of the annual
contingency plan testing for at least high impact systems such as ERA and CMRS.

4. The CIO should develop a process to regularly test data backups to verify information
integrity.

5. The CIO should develop increased oversight procedures for the process of sending
backup media offsite to ensure media is rotated offsite as prescribed.

6.
The CIO should evaluate the risks associated with storing backup tapes within the
same geographic area as AII and determine whether the current strategy is sufficient.

7. The CIO should create or update Backup and Recovery Plans and Procedures for the
Case Management and Reporting System.

Management Response

Management concurred with the recommendations.

2. Opportunities Exist to Reduce the Cost of Offsite Storage.
The audit identified cost savings related to excess Iron Mountain storage containers in
NARA’s possession. NARA has 90 Iron Mountain containers but only 17 of the
containers have been used in the last year, with some containers having not been used in
over seven years. This occurred because NARA’s requirements for offsite storage
changed but excess containers were not returned. In addition, the monthly invoices were
paid with the government credit card without a sufficient review. As a result, NARA has
spent about $31,900 over the last seven years that could have been put to better use.

Iron Mountain monthly invoices include two types of charges, transportation charges for
pickup and return of backup tapes and set fees for storage containers. According to the
invoices, NARA paid monthly charges for 90 storage containers. The Iron Mountain
monthly invoices are usually around $1,000 which includes on average $100 for
transportation charges and a recurring charge of $867 for the 90 containers (see Table 4).

Table 4.
Monthly Cost for Iron Mountain Containers

Container Type                   Quantity   Unit Price   Monthly Amount
DLT Container (capacity = 20)       51        $8.48          $432.48
DLT Container (capacity = 10)        2         8.48            16.96
Cartridge 3480 (capacity = 40)       2        10.47            20.94
IM Multi Media                      27         8.48           228.96
Pendaflex                            8        20.95           167.60
Total                                                        $866.94

We found that of the 90 containers assigned to NARA, only 17 containers had been used
in the last year. Some of the remaining containers had not been used in several years,
including one container NARA received in 2005 that had never been stored at Iron
Mountain. According to NARA’s Account Manager at Iron Mountain, the cost for the
container is the same whether the container is stored at Iron Mountain or at NARA. The
Account Manager stated if there are containers sitting at NARA not in use, Iron Mountain
can take them back. The Tape Administrator counted 48 containers located in the Tape
Storage Room at Archives II. These containers had old backup tapes stored in them that
were waiting to be disposed of. The Tape Administrator and the NITTSS Technical
Monitor were unsure of where the remaining storage containers were located. The
NITTSS Technical Monitor stated additional containers may be stored out at NARA field
offices.

We identified five containers stored at Iron Mountain with a permanent retention date.
In
reviewing the contents of three of the permanent hold containers it was unclear as to
whether these containers continued to require storage at Iron Mountain indefinitely. For
example, one container held only one backup tape labeled with the year 2003. Another
container held old server backups that may have been from 2004.

NARA had excess Iron Mountain containers because NARA’s requirements for offsite
storage changed in the last couple of years, but containers were not returned to Iron
Mountain. For example, in March 2010, NARA transferred 31 containers offsite, sending
about six containers offsite each week. Currently, NARA sends only four or five
containers a month to Iron Mountain.

The review and approval process for payment of the Iron Mountain invoice did not
include a review of the containers assigned to NARA’s account. Iron Mountain invoices
were paid using the government credit card. The approval process for payment was to
create a Form 5007 Requisition based on the invoice which was given to an IT
Operations official to sign. According to the IT Operations official, as long as the
monthly charge remained consistent, she would approve the invoice for payment.
However, if there were additional transportation charges for an unscheduled delivery she
would discuss the extra charge with the Tape Administrator to find out why it was needed
before paying the invoice. This review was not sufficient to identify the unnecessary
costs NARA continues to pay for extra storage containers not in use.

Using the monthly fee for each of the storage containers and the number of months since
the container was last used, we calculated the approximate amount of funds put to better
use as $31,900.
If NARA returns the excess containers to Iron Mountain, it could save
approximately $708 each month, or $8,500 annually.

Recommendations

8. The CIO should review the current list of Iron Mountain containers assigned to NARA
and return those containers that are no longer needed.

9. The CIO should examine the contents of those containers marked as permanent and
determine whether permanent storage is still required.

Management Response

Management concurred with the recommendations.

3. Payment of Offsite Storage Costs Needs Further Review
During FY 2012, NARA paid $12,178 for offsite storage of backup tapes. We identified
three issues with the payment of offsite storage costs:

   1) the payment appears to be a split purchase;

   2) costs incurred for services in one fiscal year were paid for using funds from the
      following fiscal year; and

   3) payment for offsite storage costs may have been improper.

These issues occurred because NARA paid for these services with a government credit
card instead of going through the procurement process and awarding a contract for offsite
storage. In addition, based on the language in the NITTSS Request for Quote (RFQ) it
could be reasonably interpreted that NITTSS was responsible for offsite storage costs.
As a result, NARA’s procurement process as well as Federal laws and regulations may
have been violated. In addition, NARA has paid approximately $48,712 over the last
four years that could have been put to better use.

According to NARA’s Purchase Card Guide, split purchasing is the acquisition of a
requirement by dividing it into smaller components thereby avoiding the established FAR
and NARA procurement procedures for the elevated dollar thresholds.
The Purchase
Card Guide defines two types of split purchases: breaking down a one-time requirement
with a value greater than the single purchase limit [14] so the acquisition can be made using
the purchase card; and using the purchase card to purchase a recurring requirement with a
fiscal year value greater than the single purchase limit. The cost for offsite storage
appears to meet the definition of a split purchase since the aggregate amount of this
recurring monthly requirement was $12,178 for FY 2012 which exceeded the single
purchase limit.

Although there are exceptions where this would be allowable, we were unable to find
documentation that a contract was in place and an exception had been granted to allow
payment of the contract to occur using the government credit card.

According to 31 United States Code (USC) 1502(a), the balance of an appropriation or
fund limited for obligation to a definite period is available only for payment of expenses
properly incurred during the period of availability or to complete contracts properly made
within that period of availability. Further, the appropriation or fund is not available for
expenditure for a period beyond the period otherwise authorized by law.

Iron Mountain invoices bill for the current month’s service and are due in full within 90
days of the invoice date. According to the credit card holder, she usually pays the bill in
the month it is due. For example, NARA received two invoices dated August 31, 2012
for costs incurred during August 2012.
Although these costs were incurred during
FY 2012, the amount appeared on the December 3, 2012 credit card statement.
According to data from NARA’s financial system, part of the cost for services rendered
in August 2012 was paid for using FY 2013 appropriated funds [15]. We identified six
months in which services from one fiscal year were paid for with funds from a different
fiscal year.

The RFQ for the NITTSS contract states that the contractor shall manage NARA’s
off-site media storage. In addition, the RFQ states “the contractor shall store all backup
media off-site, track all backup media, create off-site storage records and logs, and
provide the records and logs to the government.” Based on this language, it could be
reasonably interpreted that the NITTSS contractor was responsible for the cost of storing
backup tapes offsite. In FY 2012, NARA paid $12,178 for offsite storage costs. The
NITTSS contractor began their work at NARA on April 1, 2009; therefore, NITTSS may
have been responsible for offsite storage costs for the last four years. Using the cost paid
in FY 2012 as an estimate, we calculated the approximate amount of funds put to better
use as $48,712 over the last four years.

[14] The single purchase limit (also known as the micro-purchase limit) is a dollar amount
of the procurement authority delegated to the cardholder. The single purchase limit is $3,000.

[15] The costs for offsite storage are split between two different funds. For most of the
months we reviewed, 67% of the cost was paid for with appropriated funds and 33% was paid
for with revolving funds.

Recommendations

10.
The CIO, the Director of Acquisition Services, and NARA’s Office of General
Counsel should review purchases made for offsite storage costs to determine whether
NARA’s procurement process and Federal appropriations laws were violated and if so,
take appropriate corrective action.

11. The CIO, the Director of Acquisition Services, and NARA’s Office of General
Counsel should review language in the NITTSS contract and determine whether
payments NARA made for offsite storage were proper, and what, if any, remedies are
available.

Management Response

Management concurred with the recommendations.

Appendix A – Acronyms and Abbreviations

ABL       Allegany Ballistics Laboratory
AII       Archives II
CIO       Chief Information Officer
CMRS      Case Management and Reporting System
COOP      Continuity of Operations Plan
EOP       Executive Office of the President
ERA       Electronic Records Archives
GAO       Government Accountability Office
IT        Information Technology
LTO       Linear Tape-Open
NARA      National Archives and Records Administration
NARANet   NARA Network
NISP      NARA Integrated Siebel Platform
NIST SP   National Institute of Standards and Technology Special Publication
NITTSS    NARA Information Technology and Telephone Support Services
OFAS      Order Fulfillment and Accounting System
PII       Personally Identifiable Information
PWS       Performance Work Statement
RFQ       Request for Quote
SLES      SUSE Linux Enterprise Server
USC       United States Code
Appendix B - Management’s Response to the Report

NATIONAL ARCHIVES

Date:     JUN 27 2013
To:       James Springs, Acting Inspector General
From:     David S. Ferriero, Archivist of the United States
Subject:  OIG Revised Draft Audit 13-09, Audit of NARA's Data Backup Operations

Thank you for the opportunity to provide comments on this draft report. We appreciate
your willingness to meet and clarify language in the report.

We concur with the eleven recommendations in this audit.

If you have any questions or need additional information on these comments, please
contact Mary Drak by phone at 301-837-1668 or via email at mary.drak@nara.gov.

David S. Ferriero
Archivist of the United States

NATIONAL ARCHIVES and RECORDS ADMINISTRATION
8601 ADELPHI ROAD
COLLEGE PARK, MD 20740-6001
www.archives.gov

Appendix C - Report Distribution List

Archivist of the United States
Deputy Archivist of the United States
Chief Operating Officer
General Counsel
Executive for Business Support Services
Executive for Information Services/Chief Information Officer
Performance and Accountability
"
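The weekly offsite rotation check behind Table 2 and Recommendation 5, as an added example that is not part of the OIG report: it rebuilds the Wednesday pickup schedule for 2012, compares it with the shipment dates transcribed from Table 2, and reports every run of consecutive missed pickups. The function names and the `tolerated_misses` threshold are this example's own assumptions.

```python
from datetime import date, timedelta

WEDNESDAY = 2  # date.weekday() numbering, Monday is 0

# Transcribed from Table 2 of the report: pickup date -> containers sent.
# Weeks the table lists as "None" are left out of the mapping.
SHIPMENTS_2012 = {
    date(2012, 1, 18): 5, date(2012, 2, 15): 4, date(2012, 3, 14): 5,
    date(2012, 4, 11): 4, date(2012, 5, 9): 4, date(2012, 6, 6): 4,
    date(2012, 6, 27): 4, date(2012, 8, 1): 5, date(2012, 8, 29): 2,
    date(2012, 9, 5): 2, date(2012, 10, 3): 4, date(2012, 10, 17): 5,
    date(2012, 11, 21): 4, date(2012, 12, 12): 4,
}


def scheduled_pickups(year, weekday=WEDNESDAY):
    """Return every date in `year` that falls on the scheduled pickup weekday."""
    day = date(year, 1, 1)
    day += timedelta(days=(weekday - day.weekday()) % 7)
    pickups = []
    while day.year == year:
        pickups.append(day)
        day += timedelta(days=7)
    return pickups


def missed_runs(shipments, schedule):
    """Group consecutive scheduled pickups with no shipment into runs.

    Returns a list of (first_missed_date, number_of_missed_pickups).
    """
    runs, start, length = [], None, 0
    for day in schedule:
        if shipments.get(day, 0) > 0:
            if length:
                runs.append((start, length))
            start, length = None, 0
        else:
            if length == 0:
                start = day
            length += 1
    if length:  # a run still open at year end is also a finding
        runs.append((start, length))
    return runs


def audit_rotation(shipments, year, tolerated_misses=0):
    """Compare actual shipments with the weekly schedule for `year`.

    `findings` lists every run of missed pickups longer than
    `tolerated_misses`; `off_schedule` lists shipments made on a day
    that is not a scheduled pickup, which a weekly check would miss.
    """
    schedule = scheduled_pickups(year)
    on_schedule = set(schedule)
    shipped = [d for d in schedule if shipments.get(d, 0) > 0]
    runs = missed_runs(shipments, schedule)
    return {
        "scheduled": len(schedule),
        "shipped": len(shipped),
        "missed": len(schedule) - len(shipped),
        "containers": sum(shipments[d] for d in shipped),
        "off_schedule": sorted(
            d for d, n in shipments.items() if n > 0 and d not in on_schedule
        ),
        "longest_missed_run": max((n for _, n in runs), default=0),
        "findings": [(s, n) for s, n in runs if n > tolerated_misses],
    }


if __name__ == "__main__":
    result = audit_rotation(SHIPMENTS_2012, 2012)
    print(f"{result['shipped']} of {result['scheduled']} scheduled pickups "
          f"had a shipment ({result['containers']} containers in total)")
    print(f"longest run of missed pickups: {result['longest_missed_run']} weeks")
    for start, length in result["findings"]:
        print(f"  no shipment for {length} week(s) starting {start.isoformat()}")
```

Run against a vendor's pickup records each week, a check of this kind raises the first missed Wednesday rather than leaving the gap to be found in a year-end comparison of logs.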